(Updated June 2024)
College for Creative Studies (CCS) recognizes that in certain instances it must collect, store and use sensitive information relating to its students, employees and individuals associated with the College. The College is dedicated to collecting, handling, storing and using sensitive information properly and securely.
In addition to this policy, all faculty, staff, and students are required to adhere to the College’s Acceptable Use of Academic Technologies and Information Technologies Resources Policy.
Reason For Policy
This policy establishes an Information Security Plan to create administrative, technical, and physical safeguards for the protection of sensitive information throughout the College. The purpose of this Plan is to comply with applicable laws and to:
- Provide a framework for comprehensive stewardship of sensitive information
- Increase awareness of the confidential nature of sensitive information
- Eliminate unnecessary collection and use of sensitive information
- Protect against anticipated threats or hazards to the security or integrity of sensitive information and
- Protect against unauthorized access to or use of sensitive information in a manner that creates a substantial risk of identity theft, fraud or other misuses of the data
College Roles Affected by Policy
Any member of the CCS community, including all faculty, staff and students, who has access to College records that contain sensitive information must comply with this policy.
Every member of the College community should strive to minimize the collection, handling, storage and use of sensitive data. Only those who have a legitimate business need to access sensitive information should do so, and for as limited as time as possible. College Employees may request, collect, store or use sensitive information only as permitted by this policy, the Data Protection Requirements and practices required by his or her department.
Qualified Individual and Privacy and Security Committee
The following roles are leading the College’s efforts described in this Information Security Plan:
Chief Information Officer (Qualified Individual)
The College’s Chief Information Officer is designated as the Information Security Program Coordinator (Qualified Individual). The Program Coordinator, with the assistance of the Privacy and Security Committee (the “Committee”), is charged with the administration of this policy, including developing procedures concerning the review, oversight, and governance of this policy, including any necessary training.
The Program Coordinator shall, in consultation with the Privacy and Security Committee, maintain a list of categories of information that will be included within the definition of sensitive information and prescribe appropriate levels of protection in a series of procedures collectively known as the Data Protection Standards. The Program Coordinator may consult with the Committee and charge the Committee with responsibilities concerning the administration and review of this policy.
The Program Coordinator shall provide a mechanism for reporting any suspected breach of security and shall respond to any reported breach of security as outlined further down in this document.
Privacy And Security Committee
The Program Coordinator shall convene a Privacy and Security Committee to assist with the administration of this policy and to help ensure compliance. In addition, the Committee will assist with the annual risk assessment and employee data security training. The Committee members are as follows:
- Chief Information Officer
- Director of Information Technology
- Vice President of Finance, Chief Financial Officer
- Dean of Enrollment
- Dean of Students
- Dean of Academic Affairs
- Director of Academic Advising and Registrar
- Chief Human Resources Officer
- Director of Business Services
- Director of Financial Aid
- Executive Director Admissions
- Institutional Reporting and Compliance Manager
- Director of Advancement Operations
- Executive Director of Marketing and Communications
- Associate Director of Strategic Partnerships and Programs
Risk Safeguards
The following policies and procedures have been established to ensure the safety and integrity of all records held by the College.
Electronic Identity Policy
The electronic account policy defines criteria for granting and revoking access (through a login) to various information resources at CCS, which are provided as a means of promoting communications and supporting academic and administrative processes and workflows.
Accounts are granted and removed according to the following criteria:
Students
New degree seeking students receive electronic credentials after they are admitted and retain them during their time at the college. At least once per year, inactive accounts are subject to deletion. An account is considered inactive if any of the following are true:
- It has been at least one year since graduation, unless current usage is observed. Graduates now have lifetime access to email as long as they’re actively using it.
- The student has not attended CCS for four consecutive non-summer terms (i.e. meets criteria for re-admittance to the college).
- An admitted applicant did not enroll at the College.
Continuing education/PCS students will have electronic accounts active during their time of enrollment. Accounts for CE students are subject to deletion if they do not maintain enrollment in consecutive terms.
Faculty
Full-time faculty will receive an electronic account upon hire and will keep it during the term of employment. Adjunct faculty will receive an electronic account upon hire after an assignment to teach a course section has been recorded in the student information system. If adjuncts do not teach in consecutive semesters, their account may be deleted during those periods at the discretion of the Human Resources department. Faculty granted emeritus status will retain their electronic account privileges for life.
Staff
Staff will receive an electronic account upon hire and will keep it during the term of employment.
Standards and Responsibilities
- Create hard to guess passwords (minimum 8 characters, mixed case, include a number or special character). Do not use easy to guess words or sequences like ‘password’, ‘qwerty’, ‘12345’, etc.
- Do not share or disclose passwords to anyone. Exception: upon request, you may disclose to ITS staff directly engaged in the performance of their legitimate duties. In this case, change the password upon completion of the matter.
- Never use someone else’s credentials.
- Do not reuse the password you use at CCS for other non-related systems.
- Immediately change your password if you think your account has been compromised. Also contact the CCS helpdesk to report the concern.
- Use administrative privileges only as necessary for legitimate College purposes. Never use an administrative account to read email, surf the web, etc. Use the least privilege possible for any task.
- Never leave an unlocked device logged in and unattended. Lock your system/screen when stepping away from your computer.
Multi-Factor Authentication
CCS will employ multi-factor authentication (MFA) where possible to secure access to sensitive data and/or systems. The primary focus of MFA will be on access to those systems from off-campus via the Internet. In the event MFA cannot be used, compensating technologies and/or controls will be employed and documented. A list of systems and MFA status will be maintained internally.
Use of Encryption
CCS will follow applicable security standards for data encryption at rest and in transit unless there are technical reasons why that isn’t possible. In that event, compensating technologies and/or controls will be employed and documented.
Data Protection Standards
The Program Coordinator, in consultation with the Committee, shall identify categories of sensitive information and the appropriate safeguards required to protect each category. The Data Protection Standards shall specify administrative, technical and physical safeguards for the protection of sensitive information.
The Program Coordinator and the Committee will evaluate the effectiveness of the College’s procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of the College’s current policies and procedures in this area, including all handbooks (staff, faculty, and student), the CCS Policy Database and other student record policies).
Data Owner
A Data Owner is an individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department or an administrative unit of the College.
CCS Data Owners are as follows:
Data | Owner |
Applicant, Inquiry, and Prospect Data | Dean of Enrollment and Executive Director of Admissions |
Donor Data, Alumni Employment Data | Vice President for Institutional Advancement |
Human Resource Data | Chief Human Resources Officer |
Payroll, All Student Accounts, and Financial Data | Director of Business Services |
Student Financial Aid Data | Director of Financial Aid |
Student Housing, Judicial, Student Disabilities Records, and Wellness Data | Dean of Students |
Student Immigration Data | Dean of Enrollment/Global Engagement Office |
All Student Records | Director of Academic Advising and Registrar |
The role of the data owners is to provide direct authority and control over the management and use of specific information. Responsibilities of the Data Owner include the following:
- Ensure compliance with CCS policies and all regulatory requirements.
Data Owners need to understand whether any College policies govern their information assets. Data Owners are responsible for understanding legal and contractual obligations surrounding information assets within their functional areas. For example, the Family Educational Rights and Privacy Act (“FERPA”) dictates requirements related to the handling of student information. The Privacy and Security Committee can assist Data Owners in gaining a better understanding of legal obligations. - Determine appropriate criteria for obtaining access to sensitive information assets. A Data Owner is accountable for who has access to information assets within their functional areas.
- Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets.
- Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets.
- Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets. Report any violations of policy or breaches to the Director of Information Technology Services.
Data Users
All users have a critical role in the effort to protect and maintain College information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider of the College who is authorized to access College Information Systems and/or information assets. Responsibilities of data users include the following:
- Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
- Report actual or suspected security and/or policy violations or breaches to the Chief Information Officer.
Data Classifications
College Data is information generated by or for, owned by, or otherwise in the possession of CCS that is related to the College’s activities. College Data may exist in any format (i.e. electronic, paper) and includes, but is not limited to, all academic, administrative, and research data, as well as the computing infrastructure and program code that supports the business of CCS.
To effectively secure College Data, we must have a vocabulary that we can use to describe the data and quantify the amount of protection required. This policy defines four categories into which all College Data can be divided:
Public
Public data is information that may be disclosed to any person regardless of their affiliation with the College. The Public classification is not limited to data that is of public interest or intended to be distributed to the public; the classification applies to data that do not require any level of protection from disclosure. While it may be necessary to protect original (source) documents from unauthorized modification, Public data may be shared with a broad audience both within and outside the College community and no steps need be taken to prevent its distribution.
Examples of Public Data
- Press releases
- Directory information as defined by the Family Educational Rights and Privacy Act (FERPA)
- Course catalogs
- Information a department would choose to post on its website
- Other general information that is openly shared
Internal
Internal data is information that is potentially sensitive and is not intended to be shared with the public. Internal data generally should not be disclosed outside of the College without the permission of the person or group that created the data. It is the responsibility of the data owner to designate information as Internal where appropriate. If you have questions about whether information is internal or how to treat internal data, you should talk to your supervisor.
Examples of Internal Data
- Some memos, correspondence, and meeting minutes
- Contact lists that contain information that is not publicly available
- Procedural documentation that should remain private
Confidential
Confidential data is information that, if made available to unauthorized parties, may adversely affect individuals or the business of CCS. This classification also includes data that the College is required to keep confidential, either by law (e.g., FERPA, GLBA, GDPR) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification.
Confidential data should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored or transported.
Any unauthorized disclosure or loss of confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or another available person in the chain of authority.
Examples of Confidential Data
- Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
- Personally identifiable information entrusted to our care that is not otherwise categorized as Restricted Use data, such as information regarding applicants, alumni, donors, potential donors, or parents of current or former students, and information covered by the European Union’s General Data Protection Regulation (GDPR).
- The CCS ID Number, when stored with other identifiable information such as name or e-mail address.
- Information covered by the Gramm-Leach-Bliley Act (GLBA), which requires protection of certain financial records.
- Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
- Legally privileged information.
- Information that is the subject of a confidentiality agreement.
Restricted
Restricted Use data includes any information that CCS has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data would require the College to notify the affected individual and state or federal authorities.
The College’s obligations will depend on the particular data and the relevant contract or laws. The End User Device Minimum Security Standards sets a baseline for all Restricted Use data.
Any unauthorized disclosure or loss of confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or another available person in the chain of authority.
Examples of Restricted Data
- Personally identifiable health information that is not subject to HIPAA but used in research, such as Human Research Subjects.
- Personally Identifiable Information (PII), including an individual’s name plus the individual’s Social Security Number, driver’s license number, or a financial account number.
- Unencrypted data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
- “Criminal Background Data” that might be collected as part of an application form or a background check.
More stringent requirements exist for some types of Restricted Use data. Individuals working with the following types of data must follow the College policies governing those types of data and consult with the Director of Information Technology Services to ensure they meet all of the requirements of their data type:
- Protected Health Information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).
- Financial account numbers covered by the Payment Card Industry Data Security Standard (PCI-DSS), which controls how credit card information is accepted, used, and stored.
- Controlled Unclassified Information required to be compliant with NIST 800.171
- Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements.
- U.S. Government Classified Data
Resolving Conflicts Between This Guideline and Other Regulations
Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact a member of the Committee.
Data Classification and Protection Requirements
This Guideline provides the requirements for handling and protecting information at each stage of its lifecycle from creation to destruction and the minimum-security standards required for any electronic device that may be used to access or store sensitive information owned or used by CCS. The data handling protections outlined here apply to all sensitive information, both physical and electronic, throughout all of CCS.
Sensitive information is College data that is classified as Internal, Confidential, or Restricted Use. See the Data Classifications section for definitions and examples of each of these classifications.
Public (non-sensitive) information does not require any level of protection from disclosure, but appropriate precautions should be taken to protect original (source) documents from unauthorized modification.
Exceptions
CCS ITS is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and will be based on the implementation of appropriate compensating controls.
Information Lifecycle
The information lifecycle is the progression of stages or states in which a piece of information may exist between its original creation and final destruction. These phases are: collecting, accessing, sharing, sending, storing, auditing, incident reporting and destroying.
It is important to understand that Storing refers to a broad spectrum of activities including putting a file in a filing cabinet or on to a file server or entering information into a database or spreadsheet. The requirements for storing information apply equally to the source and to any copies made. For example, when a file is downloaded or copied from a file server to a laptop computer for use offline, it is stored in that new location and all of the storing requirements must be followed.
Requirements For Protection
Each classification of data has different requirements for protection throughout the lifecycle of use. The requirements for each Internal Data, Confidential Data, & Restricted Use Data are detailed below.
Internal Data
Collecting | No restrictions. | |
Accessing | Access should be provided as required for business devices used to access sensitive (non-Public) information. Such access must meet End User Device Minimum Standards. | |
Sharing | Share with employees as needed. Share with vendors/third-parties as approved by department head. | |
Sending | Paper | Send in a manner that protects the information from incidental or casual reading. |
Electronic | Use a method that requires recipient to authenticate prior to receipt, such as email, a web site that requires Web Login, or a file server that requires a password. Use secure email service for more private data. | |
Storing | Paper | Keep in non-public areas when not in use. |
Electronic | Devices used to store sensitive (non-Public) information must meet End User Device Minimum Standards. | |
Electronic Media (CD, DVD, USB, etc.) | Store media in a non-public location when not in use. | |
Auditing | ALL | Conduct a periodic review of where this data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. |
Incident Reporting | ALL | Report the loss of any Internal Data to your supervisor who will determine the requirements, if any, for further reporting. |
Destroying | ALL | Review Record Retention Policy before disposing of records. |
Paper & Disposable Electronic Media (CDs, DVDs) | For Internal documents with sensitive content, shred materials before disposing of them. | |
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives) | Use standard operating system utilities to delete files. | |
All Electronic Storage Media at End of Life, including Disk Drives | Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc. |
Confidential Data
Collecting | Reduce or eliminate collection where not required for business function. Collection of some types of Confidential data about individuals may require the approval of the appropriate Data Owner(s). | |
Accessing | Access to some Confidential data requires approval of a Data Owner on a per-individual basis. See the list of the Data Owners above. Devices used to access sensitive (non-Public) information must meet End–User Device Minimum Standards. Ensure protocols are in place to immediately remove access upon change in employment status of any individual with access. | |
Sharing | If you are uncertain if a piece of Confidential information should be shared, escalate the request to an appropriate supervisor or Data Owner. For types of data that are governed by a Data Owner, this information may be shared only for business purposes and only as approved by the appropriate Data Owner except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Non-disclosure language or a confidentiality agreement may be appropriate. For example: * Grades need to be communicated to the Academic Advising and Registration Office * Faculty may consult with other faculty about a student’s performance, as appropriate. * Sharing information with vendors and third-parties requires Data Owner approval For types of data that are not governed by a Data Owner, the information may be shared internally on a need-to-know basis. Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate. | |
Printing, Copying, and Scanning | Printing, Copying, and Scanning | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Confidential data unnecessarily. |
Sending | Paper | Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper should be sent via certified mail or with an authorized courier. |
Electronic | Particularly sensitive data or large volumes of confidential data should be encrypted during transmission. Do not email confidential data – provide a secure link instead. If confidential information is to be stored on removable media (CD/DVD/USB/External HD) or in the cloud, see the section below regarding the proper storage. | |
Fax | Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Consider alternatives to faxing Confidential data where possible. If a fax must be used, consider taking reasonable steps to protect the data, including the use of a cover sheet stating that the fax is Confidential and to be read only by the named recipient. Also consider coordinating with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. | |
Smart Phones and tablet devices (such as iPads) | The use of smart phones to access Confidential data, such as through email, puts that data at higher risk of unintended disclosure Individuals accessing Confidential Data via such a device must comply with the standards set forth in End User Device Minimum Standards | |
Storing | Paper | Should be stored in physically secure areas that are accessible only by authorized individuals. The number of copies should be kept to a minimum. |
Electronic | Encryption of stored data is recommended. Devices used to store Confidential Information must meet End–User Device Minimum Standards. Cloud services may be used if they have been approved for this purpose by Information Technology Services. | |
Electronic Media (CD, DVD, USB, etc.) | Encryption of stored data is recommended. Store media in a secure location when not in use. Media should be erased or destroyed as soon as it is no longer needed. | |
Auditing | ALL | Each unit or department should conduct periodic reviews of where Confidential data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate. |
Incident Reporting | ALL | Any unauthorized disclosure or loss of Confidential data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority. |
Destroying | ALL | Review Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College record retention policy. |
Paper & Disposable Electronic Media (CDs, DVDs) | Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc. | |
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives) | ||
All Electronic Storage Media at End of Life, including Disk Drives | ||
Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines) | Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services. |
Restricted Use Data
Collecting | Eliminate collection whenever possible. Collection of Restricted Use data about individuals must be approved by and provided to the appropriate Data Owner. See the list of the Data Owners above. | |
Accessing | Access to Restricted Use data requires approval of a Data Owner. Avoid accessing or using Restricted Use data whenever possible, and do so from as few different devices as possible. Devices used to access Restricted Use information must meet end user device minimum standards for Restricted Use information. The custodian of the system or information must immediately remove access from any person that no longer requires that access as part of their job function. | |
Sharing | If you are uncertain if a piece of Restricted Use information should be shared, escalate the request to an appropriate supervisor or Data Owner. This information may be shared only for need-to-know business purposes and only as approved by the appropriate Data Owner, except where the information is being given to approved custodians of that type of data. Information concerning a small number of individuals may be shared internally without Owner review if the recipient of the data has a need-to-know and is entrusted with the same type of information for their job function. Note: Sharing student or employee information with third-party vendors requires review and approval by the Chief Information Officer to ensure that the vendor has the proper terms of use, privacy, and security measures in place. Once approved by the Chief Information Officer, the appropriate College representative may sign the vendor agreement. Information may be shared with the subject of the record or with another party with the subject’s approval, as appropriate. | |
Printing, Copying, and Scanning | Printing, Copying, and Scanning | Printers often store the printed document on a local hard drive, potentially allowing unauthorized access to the information. Avoid printing Restricted Use data unnecessarily. |
Sending | Paper | Address to the specific intended party and send in sealed security envelopes. Mark with “For intended recipient only”. Outside the College, paper must be sent via certified mail or with an authorized courier. |
Electronic | Data is required to be encrypted during transmission. If Restricted Use data must be placed on removable media (CD/DVD/USB/External HD) or in the cloud, it must be properly protected. See the section below regarding proper storage. If Restricted Use data must not be sent via email – use a secure link instead. Compensating controls must be formally documented and an exception approved by ITS where this is not technically possible. | |
Fax | Fax machines often store the faxed messages in memory, potentially allowing unauthorized access. Avoid faxing Restricted Use data where possible. If a fax must be used, include a cover sheet stating that the fax is Restricted Use and to be read only by the named recipient. Also, coordinate with the intended recipient so he or she is on hand to directly receive the fax before you begin to send. | |
Smart Phones and tablet devices (such as iPads) | The use of smart phones to access Restricted Use data is strongly discouraged. For example, do not check your secure email from your smart phone. Individuals that must use such a device to access Restricted Use data must comply with the standards set forth in End User Device Minimum Standards. | |
Storing | Paper | Keep in locked filing cabinets in physically secure areas that are accessible only by authorized individuals. Keep the number of copies of the data to a minimum. |
Electronic | Encryption of stored data is required. Devices used to store sensitive (non-Public) information must meet End User Device Minimum Standards. Cloud services may not be used to process or store Restricted Use data unless they have been approved for such use by Director of Information Technology Services and the appropriate Data Owner. | |
Electronic Media (CD, DVD, USB, etc.) | Encryption of stored data is required. Store media in a secure location when not in use. Media should be inventoried upon creation and destroyed as soon as it is no longer needed. | |
Auditing | ALL | Each unit or department must conduct periodic reviews of where Restricted Use data is located, who has access to it, the access control mechanisms, encryption protocols, and data destruction protocols. Verify that procedures for removing access are documented and accurate. |
Incident Reporting | ALL | Any unauthorized disclosure or loss of Restricted data must be immediately reported to the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority. |
Destroying | ALL | Review Record Retention Policy and the information in this destruction section before disposing of records. Do not destroy records that are the subject of a litigation hold or that must be retained pursuant to the College record retention policy. |
Paper & Disposable Electronic Media (CDs, DVDs) | Dispose of paper media via College approved shred boxes. Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc. | |
Electronic Files (Data) Reusable Electronic Storage Devices (USB keys, disk drives) | Contact Information Technology Service for secure destruction of all physical electronic media. Do not dispose of in the trash, recycle, etc. | |
All Electronic Storage Media at End of Life, including Disk Drives | ||
Device End of Lease or End of Life (Printers, Copiers, Multi-function office machines) | Devices such as these often contain hard drives which must be properly erased, or “wiped”, prior to leaving CCS control (returned to the vendor, sent to surplus, donated, disposed of, etc.). For information on how to properly wipe the drive, contact Information Technology Services. |
Employee Information Security Training
The Chief Information Officer and the Privacy and Security Committee will conduct and/or coordinate proactive education and training outreach programs designed to help increase the CCS community’s awareness of information security issues, including the requirements of the Data Protection Standards.
This training is general in nature, providing an overview of information security and the legal and regulatory context in which we operate. It is not intended to replace regulation-specific training that may be required of people conducting specific duties and needing specific information about those duties. For example, FERPA training is and remains the responsibility of the Academic Advising and Registration Office.
The Chief Information Officer will, on an annual basis, send a reminder by email to the faculty and staff of CCS providing a summary of the provisions of the Data Protection Standards, including the monitoring provisions of this document, and including a link which can be reviewed for more details.
Vendors And Service Providers
The Program Coordinator shall coordinate with those responsible for the third-party service procurement activities among the Information Technology Services and other affected departments to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access. In addition, the Program Coordinator will work with the Director of Information Technology and the Institutional Reporting and Compliance Manager to develop and incorporate standard, contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards.
Risk Assessment
Security Monitoring and Incident Prevention
The College will test for and work to prevent IT incidents by various means including but not limited to:
- Active scanning of any connected systems;
- Passive scanning of network traffic;
- Network monitoring;
- Analysis of network packets;
- Penetration testing;
- Behavioral/social testing including authorized phishing attempts, use of outside contractors to attempt to gain access to protected information, etc.
All such testing will be performed by the ITS department and/or authorized vendors in accordance with oversight from the Privacy and Security Committee.
Privacy and Security Committee Annual Review
At least annually the Program Coordinator, together with the Committee and/or Data Owners, shall review the Information Security Plan and the Data Protection Standards to assess risk. The items to be reviewed include, but are not limited to the following:
- Access to the College’s database files
- Data storage and disposal (electronic or physical) security
- Record retention policies
- Disaster recovery readiness
- penetration testing reports
- Results of phishing testing
- Employee training participation results
- Any breach of security
- Assess compliance with FTC Safeguard Rules
New safeguards will be implemented for any additional or continuing risks identified during this process and a Committee member will be assigned responsibility for establishing and implementing the new or revised safeguard.
Information Technology Incident Response and Security Monitoring
An Information technology (IT) incident is an event(s) which threatens the integrity, confidentiality, and/or availability of College systems, networks, and/or data. It includes, but is not limited to:
- Loss, suspected loss, or disclosure of data through technical or behavioral means (hacking, malware, phishing, inadvertent unauthorized disclosure over the phone, email, or in person, etc.)
- Technological attacks against College networks or systems including unauthorized scanning, snooping, etc.
- Any suspected virus or malware infection
- Theft or misplacement of any College-owned computing device and/or personal device used to access or store College data
- Misuse of College-owned systems or networks in violation of other policies, including the Acceptable Use of Academic Technologies and Information Technologies Resources policy
- Events that threaten the performance and/or availability of College resources
IT Response
In the event of an IT incident, priorities will be as follows:
- Protect human safety
- Protect College resources
- Contain damage/prevent further loss
- Preserve evidence
- Rectify damage
- Restore services
For CCS Community members
Upon detection of (or suspicion of) an IT incident, do the following:
- Immediately contact the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
- Communicate as clearly as possible details including name, contact information, what you suspect is happening, type of device, location, IP Address, and any information or data you suspect was lost/compromised.
- Do not turn off or unplug any device unless human safety dictates otherwise or you’re instructed to do so by response personnel.
- If you reasonably suspect loss of data is ongoing, you may unplug the device’s network connection if applicable, but be sure to communicate this when notifying response personnel.
- Do not communicate with anyone about the incident other than response personnel, your supervisor as appropriate, or members of the College’s Privacy and Security Committee without authorization.
- Communication with the media is restricted to the College’s Marketing and Public Relations staff, executive leadership, and legal counsel. Refer any/all media inquiries to: Megan Mesack, Executive Director of Marketing and Communications at 313-664-7666.
Technical staff
Technical staff shall respond with the following priorities and requirements:
- Document/log all actions taken and decision making process at each step from notification to resolution.
- Secure physical location of any breach to avoid further loss.
- Assess the immediate situation. If ongoing loss is not suspected, the priority is to preserve evidence. Do not turn off devices, reboot, remove media, etc. If ongoing loss is suspected, do the minimal possible to stop it (e.g. disconnect network connection vs. turn device off).
- Notify the Chief Information Officer or Director of Information Technology if not already done.
- Assess need for forensic evidence (logs, packet traces, etc.).
- Collect and store any forensic evidence needed.
- Regain control of any compromised system.
- Analyze the event – how did it happen, what could be lost, what else could be compromised, etc. Estimate time/steps to recovery.
- Correct any vulnerabilities that may have allowed the incident to happen or progress.
- Remediate the system(s) as necessary and prepare to return to service.
- Verify system integrity and restore services if safe to do so.
- The Chief Information Officer or Director of Information Technology will notify the members of the Privacy and Security Committee describing the nature of the incident and response. Notification may also include other executive leadership and legal counsel as the situation warrants.
- A written incident and response report will be prepared and submitted to the Privacy and Security Committee as soon as possible after the incident but within 10 days of resolution.
Public and/or Individual Notification of Breach
In the event of a data breach, executive management will consult with legal counsel as necessary to determine the type, nature, and scope of public or individual notification. Such notification will be performed via authorized personnel or legal representatives only and will be in accordance with applicable legal and regulatory standards.
Report to the CCS Board of Trustees
The Program Coordinator will report to the CCS Board of Trustee regarding our compliance status and any related issues or concerns at least annually.
Individual Department Procedures
Academic Advising and Registration
The Academic Advising and Registration Office(AARO) maintains a variety of student academic records that are in both electronic and paper format. Employees in this office are trained to protect the privacy of students’ records and are well versed in the Family Educational Rights and Privacy Act (FERPA), the federal law that protects the privacy of educational records and defines proper release of that information.
Electronic records are maintained in Colleague, the student information system, and ImageNow, the document imaging system. Changes to those records are made only by authorized personnel. Access to both systems is via a password, and each employee must be trained in the proper use of the system before access to the system is granted.
AARO also maintains a variety of confidential paper records. Student transcripts date back to 1926, the date the institution started offering four-year certificates, and are stored in filing cabinets in a secure room in the lower level of the building. AARO is in an ongoing process of scanning archived student records into Image Now. Work papers and other documents containing private information are shredded following their use. The office is locked during non-business hours.
For additional information, call AARO at (313) 664-7672.
Academic Affairs
The CCS Office of Academic Affairs adheres to the Family Educational Rights and Privacy Act (FERPA) guidelines established by federal law to protect the privacy of student education records. Disclosure of student information under FERPA is limited to what is termed “directory information,” that is, information contained in education records that would not generally be considered harmful or an invasion of privacy if disclosed, unless the student expressly grants permission in writing. CCS defines directory information as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Academic Affairs may use this information to compile the Dean’s and President’s Lists and to provide companies information related to a sponsored project. Outside of Directory Information, Academic Affairs does not disclose personally identifiable information about students without a completed, signed Student Information Release Authorization on file in the Academic Advising and Registration Office. Academic Affairs always verifies that a completed, signed Authorization form is on file in the Academic Advising and Registration Office prior to disclosing any information about a student beyond directory information.
The Office of Academic Affairs handles confidential items, such as student complaints, in a shared drive that requires login to a secure network accessible to authorized staff in the office. Any concern that arises out of Student Assembly that necessitates an Academic Affairs response is maintained on the shared network site.
Academic Departments/Classroom
CCS ensures the privacy of student information in academic departments and within the classroom through the following measures:
- Secure login to the classroom management system, Canvas. Canvas allows instructors the ability to develop announcements, course content, assessments, and manage classroom grades. Through secure login students have access to this information as well as the ability to have online discussions and chats with only their classmates and instructor. Students do not have access to one another’s information protected under FERPA, such as grades, instructor/student personal communications, attendance records, etc. unless the student elects to disclose it.
- Faculty submit midterm and final grades, along with attendance, through password protected information systems, Self-Service and Canvas. Self-Service is a portal to our student information system, Colleague. A password and training on proper use is part of the onboarding process for program managers and staff members.
- Campus email offered through Google requires CCS students, faculty, and staff to login. CCS email is the official communication mechanism at the College.
Admissions Office
The Office of Admissions obtains and collects a variety of different information for prospective College students through a variety of stages and in different formats. The types of data that are collected include, but are not limited to:
Prospect Stage
- Purchased information of high school students and graduates, college students intending to transfer, undergraduate students and career professional looking to attend a graduate program
Inquiry State
- General inquiries from prospective students.
Applicant Stage
- Applications from prospective students
- advanced placement examination information
- portfolio submissions from prospective students
- standardized test results for prospective students
- letters of recommendation for prospective graduate students
- personal statements for prospective graduate students
- resume/CV for prospective graduate students
- immigration documentation of prospective international students
- high school and/or college transcripts of prospective students
Admission Stage
- Applications from re-admit students; and
- college transcripts of admitted students.
All student records that are stored within the Office of Admissions are covered under the Family Educational Rights and Privacy Act of 1974 (FERPA) and those guidelines establish release of student information. In addition to FERPA regulations, the Office of Admissions has the following policies and procedures in practice to protect information:
- Electronic data – All data are received on media or received electronically (downloaded) using industry standard privacy software. Admissions Support Staff and select IT staff members are responsible for transferring data to the TargetX student recruitment system, and the Colleague student information system. Colleague student information system security is maintained by the Office of Information Technology Services (ITS). All electronic data that is received on media that is subject to a disposal requirement is destroyed within the office prior to disposal making the media unreadable; no such media is to be recycled for re-use.
- Hard copy – A minimum number of hard copy documents are maintained within the office until the student is enrolled at CCS, at which time the records are moved to the Academic Advising and Registration Office. Records of students who do not matriculate are held for two years or until they do matriculate. If the student does not matriculate, the records are destroyed after two years. All hard copy documentation that is considered for disposal is shredded using a third-party shredder company. All information that is to be disposed of that contains student information is shredded within the office. All personnel are required to read and abide by office procedures on student record information including FERPA regulations. Training agendas include a component on information security.
For additional information, please contact the Office of Admissions at (313) 664-7425.
Business Office
The Business Services Office maintains financial records for the Cashiers, Accounts Receivable, Accounts Payable, Purchasing, and Payroll functions of the College. These records include both electronic and paper records. The Business Services Office is in a secure, locked environment with video surveillance. Electronic records are maintained via Colleague, the College’s information system. Paper records are maintained in locked filing cabinets.
The College receives credit card information for payment of tuition and fees via secure websites, the credit card number is encrypted. Every CCS employee or volunteer responsible for taking credit card payments has a background check done and is required to complete and sign a CCS Credit Card Security Agreement. The College never keeps a hard copy of credit card information. Email should never be used to transmit credit card or personal information. Credit card or personal payment information is never downloaded onto any portable devices including, but not limited to USB flash drives or laptop computers.
The College uses service providers for collections. We oversee service providers by taking steps to select and retain providers that are capable of maintaining appropriate safeguards for customer information. Additional safeguards in place include:
- The Business Services Office checks references prior to hiring employees who will have access to customer information and requires a background check;
- Computers are password protected.
- Desks must be cleared at end of workday of any paperwork containing personal information; as well as computers must be signed out or locked whenever an employee leaves their desk area.
For additional information, please contact the Business Services Office at (313) 664-7435.
Campus Safety – Creation of CCS Student ID Cards
Campus Safety maintains a database containing Student, Staff and Faculty information for the creation of the “SmartCard” ID. This information is manually imported from the colleague system at the beginning of each semester.
Current Information includes a users photo, name, address, telephone, student/employee ID and SmART Card Number.
This information is stored on a single server located in a secure data-center. Login Access to the physical server is limited to Information Technology, and an authorized Contractor.
Client computers containing software to access the badging information system are limited to both Campus Safety offices, Campus Safety Assistant Directors offices, and the office of the Assistant Director of Information Technology.
Access via the client application to the badging system information is limited to the Campus Safety Assistant Directors, Director of Campus Safety, Command Center Officers, Director and Assistant Director of Information Technology, Facilities Coordinator, and authorized Contractors.
Financial Aid Office
Confidential information is any information pertaining to the students’ financial aid eligibility. This includes information submitted on the FAFSA, IRS tax forms, and other financial documents as well as any information pertaining to the students’ financial aid award, grades, and any professional judgment documents that are collected.
Only authorized school officials have access to financial aid information. The information is located on the Colleague Student Financial Aid system. The Director of Financial Aid authorizes access to individuals on an as-needed basis. Said individuals must log on with credentials assigned to them for their sole use. Hard copy information is filed by social security number and is kept in filing cabinets in the back of the office in locked drawers. The office is locked during non-office hours.
The Department of Education requires that safeguard procedures are in place in order for the institution to be eligible for Federal Financial Aid.
For additional information, call the Financial Aid Office at (313) 664-7496.
Human Resource Office
A master personnel record containing administrative staff, student staff, and other pertinent data is maintained in the Human Resources office. The Human Resources office maintains records concerning employment, performance, payroll, benefits, and other miscellaneous items. No information, except verification of employment dates, will be released to outside sources without the employee’s written authorization unless disclosure is required by subpoena or court order or is necessary to meet some legal obligation of CCS. A written authorization from the employee is required for the Human Resources office to release salary information. It is each staff member’s responsibility to inform the Human Resources office of any changes in the following: name, address, telephone, marital status, dependents, beneficiaries, and emergency contacts. Administrative staff have the right to review their Personnel Record in the Human Resources office, with a prior appointment. These Personnel Records are confidential and may only be reviewed by the administrative member, or the appropriate supervisory personnel of the administrative staff member.
Residence Life/Student Affairs Office
The following information about students is maintained in the Department of Housing and Residence Life through the database of our Residence Life Management software Mercury Housing:
- Records related to students’ living preferences and individual needs
- Records related to room assignment, room registration, room occupancy, and applications to live on campus
- Records related to financial obligations, billing, and payment information for damages to residence hall rooms and facilities
Records related to Emotional Support Animals and Disabilities Support are maintained in both electronic format and hard copy. Specific storage and security measures are in place as follows:
- Hard copy records are maintained in locked cabinets within relevant staff member offices (Director of Residence Life and Dean of Students)
- Electronic records are maintained in personal network drives that require login credentials or in personal email files that require login credentials.
Records related to disciplinary matters that are maintained in hard copy form are stored in the offices of the appropriate Judicial Official and are kept in locked file cabinets. Electronic disciplinary records are maintained through a secure platform that requires login and active credentials through the software platform Maxient. Only institutional employees with judicial process responsibilities have access to these judicial records.
Information disclosed in individual counseling sessions must remain confidential, unless written permission to divulge the information is given by the student. However, all staff members must disclose to appropriate authorities, information judged to be of an emergency nature, especially when the safety of the individual or others is involved. Information contained in students’ educational records must not be disclosed to extra-institutional third parties without appropriate consent, unless classified as “Directory” information or when the information is subpoenaed by law.
Counseling records are maintained in hard copy. Active counseling files (students seen within the last 2 years) are kept in locked cabinets in the office of the individual counselor. Inactive counseling files (students not seen within the last 2 years) are kept in locked cabinets within the Student Affairs Office. All counseling files include a copy of the Informed Consent regarding student privacy policies.
Confidentiality – staff ensure that confidentiality is maintained with respect to all privileged communications and to educational and professional records considered confidential. They inform all parties of the nature and/or limits of confidentiality. Staff share information only in accordance with institutional policies and relevant statutes, when given informed consent, or when required to prevent personal harm to themselves or others.
For additional information, please contact the Dean of Students at
(313) 664-7675.